Hello world.
This message talks about AD in the admin portal, using a pluggable authentication
module (PAM).
N.B.: IP addresses and the example domain are taken from RFCs 2606 and 5737.
We have made some modifications to use PAM.
In fact the PF box is part of the AD domain (i.e. it is a member server, thanks to
Samba).
And so a user can log in locally using his or her AD credentials (Windows
user/password).
So we can use it in PHP...
We add the following function to /usr/local/pf/html/admin/login.php:
function validate_user_pam($user, $pass, $hash = '') {
    global $logger;
    // A non-empty $hash (cookie login) is returned unchanged: nothing here
    // re-checks it against PAM, which keeps no stored hash to compare with.
    if ($hash != '') {
        return $hash;
    }
    if (!extension_loaded("pam")) {
        $logger->info("pam auth is not loaded");
        return false;
    }
    // pam_auth() fills $status with the PAM error text on failure
    $status = null;
    // winbind separator is "+" (see smb.conf below), so the PAM login name is WINDOMAIN+user
    $result = pam_auth("WINDOMAIN+" . $user, $pass, $status);
    if (!$result) {
        $logger->info("Could not pam as a user. Password is not good or the user doesn't have the rights to pam");
        return false;
    }
    // same convention as validate_user_flat_file: the md5 of the password is the session hash
    return md5($pass);
} #end validate_user_pam
And add a condition to the function validate_user in the same file:
$result = false;
if ($user != "admin") {
    // domain users are tried through PAM first; "admin" stays a local flat-file account
    $result = validate_user_pam($user, $pass, $hash);
}
if (!$result) {
    // fallback to the local flat file (also reached when PAM fails or AD is unreachable)
    $result = validate_user_flat_file($user, $pass, $hash);
}
The /etc/pam.d/php file:
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0022
In /etc/php.ini, in the general config:
extension=pam.so
;pam.servicename = php   (not needed)
Relevant lines in /etc/samba/smb.conf:
workgroup = WINDOMAIN
password server = 192.0.2.101 192.0.2.201 198.51.100.101
realm = WINDOMAIN
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
server string = Samba Server Version %v
netbios name = PFSERVER01
preferred master = no
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
wins server = 192.0.2.101 192.0.2.201 198.51.100.101
Relevant lines in /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WINDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
WINDOMAIN = {
kdc = 192.0.2.101
kdc = 192.0.2.201
kdc = 198.51.100.101
}
[domain_realm]
windomain = WINDOMAIN
.windomain = WINDOMAIN
example.org = WINDOMAIN
.example.org = WINDOMAIN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
We had to do things like:
net ads join -W WINDOMAIN -n pfserver01 -U domainadministrator
Check the join:
wbinfo -u
...will return all the domain users.
Still some issues right now.
The web UI user has to be defined in /usr/local/pf/conf/admin.perm,
in the correct group.
I.e. the password is validated against AD, but the rights are checked in
admin.perm.
We plan to check against the AD group.
This is a bug or a feature: if AD is not available, users that are also defined
locally can still log in (with the same username).
NB: no need to add the domain in the login box (WINDOMAIN\userpf or
WINDOMAIN+userpf).
Using PAM we can "easily" add new auth methods (LDAP, local, ...).
In fact we could add a conf/authentication/pam.pm, but that's another matter of
debate...
DW
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
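Added example (the editor's, not PacketFence code and not the patch from the message above): a variant of the validate_user chain that covers the two points the message leaves open, a check against an AD group and a cookie hash that is verified instead of being returned as-is. It keeps the posted layout (domain WINDOMAIN, winbind separator "+", PAM service taken from php.ini, "admin" as a local-only account) and swaps md5($pass) for an expiring HMAC token. The group name pf-webadmins, the token lifetime and the way the secret is handed in are assumptions; the fake PAM and NSS callables at the bottom are constructed so the file runs offline with php >= 7.4 (the pam and posix extensions are only needed for the real path).

```php
<?php
// Added example, not PacketFence code and not the patch from the message.
// Assumes the posted layout: domain WINDOMAIN, winbind separator "+",
// PAM service from php.ini. Group name, token TTL and secret handling are assumptions.

const WIN_DOMAIN        = 'WINDOMAIN';
const WINBIND_SEPARATOR = '+';
const ADMIN_AD_GROUP    = 'pf-webadmins';   // assumption: AD group allowed into the web UI
const TOKEN_TTL         = 36000;            // seconds; same figure as the pam ticket_lifetime above

/** Only plain SAM account names: no separator that could redirect the PAM/NSS lookup. */
function sane_username(string $user): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user);
}

/** PAM login as WINDOMAIN+user. $pam is injectable so the demo runs without a domain. */
function pam_login(string $user, string $pass, ?callable $pam = null): bool
{
    // PECL pam: pam_auth($user, $pass, &$error, $checkacctmgmt = true) also runs the account stack
    $pam = $pam ?? 'pam_auth';
    if (!sane_username($user) || $user === 'admin' || $pass === '') {
        return false;                        // "admin" is local only; an empty password never reaches PAM
    }
    $error = null;
    return $pam(WIN_DOMAIN . WINBIND_SEPARATOR . $user, $pass, $error) === true;
}

/** AD group check through NSS -> winbind: posix_getgrnam("WINDOMAIN+group") lists the members. */
function in_ad_group(string $user, string $group, ?callable $getgrnam = null): bool
{
    $getgrnam = $getgrnam ?? 'posix_getgrnam';
    $gr = $getgrnam(WIN_DOMAIN . WINBIND_SEPARATOR . $group);
    if ($gr === false || empty($gr['members'])) {
        return false;                        // unknown group or winbind down: fail closed
    }
    $members = array_map('strtolower', $gr['members']);   // winbind may lowercase names
    return in_array(strtolower(WIN_DOMAIN . WINBIND_SEPARATOR . $user), $members, true)
        || in_array(strtolower($user), $members, true);   // "winbind use default domain = true" layout
}

/** Session token "expiry:HMAC(secret, user|expiry)"; replaces md5($pass) as the cookie value. */
function issue_token(string $user, string $secret, ?int $now = null): string
{
    $exp = ($now ?? time()) + TOKEN_TTL;
    return $exp . ':' . hash_hmac('sha256', $user . '|' . $exp, $secret);
}

/** Verify a presented token for $user: well-formed, not expired, constant-time HMAC compare. */
function verify_token(string $user, string $token, string $secret, ?int $now = null): bool
{
    if (!preg_match('/^(\d{1,12}):([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $exp = (int) $m[1];
    if ($exp < ($now ?? time())) {
        return false;                        // expired
    }
    return hash_equals(hash_hmac('sha256', $user . '|' . $exp, $secret), $m[2]);
}

/**
 * Same shape as validate_user($user, $pass, $hash): returns the session hash on
 * success, false otherwise. A presented $hash is verified, never echoed back;
 * domain users need PAM + group membership; only "admin" uses the local check
 * ($local: callable(string $user, string $pass): bool), so there is no silent
 * fallback from AD to the local file for the same username.
 */
function validate_user_ad(string $user, string $pass, string $hash, string $secret,
                          ?callable $pam = null, ?callable $getgrnam = null, ?callable $local = null)
{
    if (!sane_username($user)) {
        return false;
    }
    if ($hash !== '') {
        return verify_token($user, $hash, $secret) ? $hash : false;   // cookie path
    }
    if ($user === 'admin') {
        return ($local !== null && $local($user, $pass)) ? issue_token($user, $secret) : false;
    }
    if (!pam_login($user, $pass, $pam) || !in_ad_group($user, ADMIN_AD_GROUP, $getgrnam)) {
        return false;
    }
    return issue_token($user, $secret);
}

// ---- constructed offline demo: fake PAM and fake NSS, no domain needed ----
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $fakePam = function (string $login, string $pass, &$err): bool {
        $err = null;
        return $login === 'WINDOMAIN+alice' && $pass === 'correct horse';
    };
    $fakeGroup = fn(string $g) => $g === 'WINDOMAIN+pf-webadmins'
        ? ['name' => $g, 'passwd' => 'x', 'gid' => 10042, 'members' => ['WINDOMAIN+alice', 'WINDOMAIN+bob']]
        : false;
    $secret = random_bytes(32);                              // in production: a 0600 file under /usr/local/pf/conf
    $tok = validate_user_ad('alice', 'correct horse', '', $secret, $fakePam, $fakeGroup);
    var_dump($tok !== false);                                                                 // true: password + group
    var_dump(validate_user_ad('alice', 'wrong', '', $secret, $fakePam, $fakeGroup));          // false: bad password
    var_dump(validate_user_ad('alice', '', $tok, $secret, $fakePam, $fakeGroup) !== false);   // true: cookie re-check
    var_dump(validate_user_ad('alice', '', 'deadbeef', $secret, $fakePam, $fakeGroup));       // false: forged cookie
    var_dump(validate_user_ad('WINDOMAIN+alice', 'correct horse', '', $secret, $fakePam, $fakeGroup)); // false: separator in name
}
```

posix_getgrnam only lists members as far as winbind expands the group (nested or very large AD groups can come back empty), and this code treats an empty list as a failed check; if that bites, resolve the user's own group list with a helper around wbinfo --user-groups instead of enumerating the group.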